Routing between IPSEC VPNs on a Cisco Pix506E?

Discussion in 'Cisco' started by Nate731, Apr 5, 2006.

  1. Nate731

    Nate731 Guest

    Howdy, I've got a T1 to my office with a Pix506E running firewall
    duties. Our VPN network topology is hub and spoke, with the office being
    the hub and 11 spokes with IPSEC VPNs to some Linksys BEFVP41 routers.
    We also have 8 users randomly using the Cisco software VPN client as
    well. I need to be able to route traffic between all spokes as well as
    the software client. As it sits now, traffic from the spokes and the
    Cisco client stops at the office. Is this possible with a Pix?

    Current config...

    PIX Version 6.2(3)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password ********* encrypted
    passwd ********* encrypted
    hostname ******
    domain-name ******
    clock timezone CST -6
    clock summer-time CDT recurring
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    fixup protocol sip udp 5060
    names
    object-group network StoreVPN
    network-object 192.168.50.0 255.255.255.0
    network-object 192.168.52.0 255.255.255.0
    network-object 192.168.53.0 255.255.255.0
    network-object 192.168.55.0 255.255.255.0
    network-object 192.168.56.0 255.255.255.0
    network-object 192.168.58.0 255.255.255.0
    network-object 192.168.60.0 255.255.255.0
    network-object 192.168.61.0 255.255.255.0
    network-object 192.168.62.0 255.255.255.0
    network-object 192.168.71.0 255.255.255.0
    network-object 192.168.72.0 255.255.255.0
    object-group service sip tcp-udp
    description sip
    port-object range 5060 5060
    port-object range 5004 5004
    object-group network CiscoClient
    network-object 10.1.1.0 255.255.255.0
    access-list outside_in permit icmp any any echo-reply
    access-list outside_in permit icmp any any echo
    access-list outside_in permit icmp any any unreachable
    access-list outside_in permit icmp any any time-exceeded
    access-list outside_in permit icmp any any source-quench
    access-list outside_in permit tcp any host **External IP** eq www
    access-list outside_in permit tcp any host **External IP** eq pop3
    access-list outside_in permit tcp any host **External IP** eq 5900
    access-list outside_in permit tcp any host **External IP** eq smtp
    access-list outside_in permit tcp any host **External IP** eq 17888
    access-list outside_in permit tcp any host **External IP** eq 9008
    access-list outside_in permit tcp any host **External IP** eq ftp
    access-list outside_in permit tcp any host **External IP** eq pcanywhere-data
    access-list outside_in permit tcp any host **External IP** eq 5632
    access-list outside_in permit tcp any host **External IP** eq 11999
    access-list outside_in permit tcp any host **External IP** eq 11998
    access-list split-tunnel permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

    access-list inside_outbound_nat0_acl permit ip any 10.1.1.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.55.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.52.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.53.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.56.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.58.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.60.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.61.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.62.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.72.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.71.0 255.255.255.0
    access-list outside_inbound_nat0_acl permit ip object-group CiscoClient object-group StoreVPN
    access-list outside_inbound_nat0_acl permit ip object-group StoreVPN object-group CiscoClient
    access-list nate_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
    access-list Tammy_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
    access-list Brian_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
    access-list Dispatch_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0
    any
    access-list Amy_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
    access-list Karen_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
    access-list Sarah_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
    access-list 58_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
    pager lines 24
    interface ethernet0 auto
    interface ethernet1 auto
    mtu outside 1500
    mtu inside 1500
    ip address outside **External IP** 255.255.255.252
    ip address inside 10.0.0.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpn-pool 10.1.1.1-10.1.1.254
    pdm location 10.0.0.0 255.255.255.0 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (outside) 0 access-list outside_inbound_nat0_acl outside
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface www 10.0.0.2 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pop3 10.0.0.2 pop3 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5900 10.0.0.2 5900 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 17888 10.0.0.9 17888 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 9008 10.0.0.9 6129 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 17889 10.0.0.9 17889 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 11999 10.0.0.103 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface pcanywhere-data 10.0.0.18 pcanywhere-data netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 5632 10.0.0.18 5632 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 11998 10.0.0.107 3389 netmask 255.255.255.255 0 0
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 **T1 Router IP** 1
    timeout xlate 8:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    no sysopt route dnat
    crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set test1 ah-md5-hmac esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 4 set transform-set strong-des
    crypto dynamic-map inside_dyn_map 30 set pfs group2
    crypto dynamic-map inside_dyn_map 30 set transform-set ESP-3DES-SHA ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 10 set transform-set strong-des
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 3600 kilobytes 4608000
    crypto map partner-map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map partner-map client configuration address respond
    crypto map test 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map test interface outside
    isakmp enable outside
    isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 7200
    vpngroup nate address-pool vpn-pool
    vpngroup nate dns-server 10.0.0.9
    vpngroup nate wins-server 10.0.0.1
    vpngroup nate default-domain LLOC
    vpngroup nate split-tunnel nate_splitTunnelAcl
    vpngroup nate idle-time 1800
    vpngroup nate password ********
    vpngroup Dispatch address-pool vpn-pool
    vpngroup Dispatch dns-server 10.0.0.9
    vpngroup Dispatch wins-server 10.0.0.1
    vpngroup Dispatch default-domain LLOC
    vpngroup Dispatch split-tunnel Dispatch_splitTunnelAcl
    vpngroup Dispatch idle-time 1800
    vpngroup Dispatch password ********
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 10
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 5
    vpdn enable outside
    terminal width 80
    Cryptochecksum:******
    : end



    Any ideas?
     
    Nate731, Apr 5, 2006
    #1
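The posted config, read by an added audit script. This is example code written for this page, not code from the original post or from Cisco, and all helper names in it are this example's own. It parses a constructed excerpt of the config above (two of the eleven spokes, secrets redacted) and checks the three things that stop spoke-to-spoke and client-to-spoke traffic through the hub: the PIX version (a 6.x PIX drops any packet that would leave through the interface it arrived on, and the "same-security-traffic permit intra-interface" command that allows that only appeared in PIX 7.0, which the 506E cannot run), spoke-to-spoke pairs absent from the outside "nat 0" ACL, and spoke subnets absent from the split-tunnel ACLs, which means the software client never puts traffic for the stores into the tunnel in the first place. It also flags three exposures a reviewer would raise against the same config: the wildcard pre-shared key, the default "public" SNMP community, and SSH management open from any outside address.

```python
# Added example (not from the original post): audit a PIX 6.x config for
# spoke-to-spoke IPsec reachability. Helper names are this example's own.
import ipaddress
import re

# Constructed excerpt of the posted config: two of the eleven spokes, secrets redacted.
SAMPLE_CONFIG = """\
PIX Version 6.2(3)
object-group network StoreVPN
network-object 192.168.50.0 255.255.255.0
network-object 192.168.52.0 255.255.255.0
object-group network CiscoClient
network-object 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_inbound_nat0_acl permit ip object-group CiscoClient object-group StoreVPN
access-list outside_inbound_nat0_acl permit ip object-group StoreVPN object-group CiscoClient
access-list nate_splitTunnelAcl permit ip 10.0.0.0 255.255.255.0 any
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list inside_outbound_nat0_acl
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
snmp-server community public
ssh 0.0.0.0 0.0.0.0 outside
vpngroup nate split-tunnel nate_splitTunnelAcl
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _operands(fields, groups):
    """Expand 'SRC DST' operands (any | A MASK | object-group G) into (src, dst) network pairs."""
    sides, i = [], 0
    while i < len(fields) and len(sides) < 2:
        if fields[i] == "any":
            sides.append([ANY]); i += 1
        elif fields[i] == "object-group":
            sides.append(list(groups[fields[i + 1]])); i += 2
        else:
            sides.append([_net(fields[i], fields[i + 1])]); i += 2
    return [(s, d) for s in sides[0] for d in sides[1]]

def parse_config(text):
    """Return version, network object-groups, ACLs as network pairs, split-tunnel map and raw lines."""
    cfg = {"version": (0, 0), "groups": {}, "acls": {}, "split": {}, "raw": text.splitlines()}
    group = None
    for line in cfg["raw"]:
        tok = line.split()
        if tok[:2] == ["PIX", "Version"]:
            cfg["version"] = tuple(int(x) for x in re.match(r"(\d+)\.(\d+)", tok[2]).groups())
        elif tok[:1] == ["object-group"]:
            group = cfg["groups"].setdefault(tok[2], []) if tok[1] == "network" else None
        elif tok[:1] == ["network-object"] and group is not None:
            group.append(_net(tok[1], tok[2]))
        elif tok[:1] == ["access-list"] and tok[2] == "permit":
            cfg["acls"].setdefault(tok[1], []).extend(_operands(tok[4:], cfg["groups"]))
        elif tok[:1] == ["vpngroup"] and tok[2] == "split-tunnel":
            cfg["split"][tok[1]] = tok[3]
    return cfg

def supports_hairpin(version):
    """Spoke->hub->spoke traffic enters and leaves the outside interface; PIX 6.x drops that
    unconditionally, and 'same-security-traffic permit intra-interface' only arrived in 7.0."""
    return version >= (7, 0)

def covers(pairs, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)

def spoke_pairs_missing_nat0(cfg):
    """Ordered spoke->spoke pairs with no NAT-exempt entry in the outside 'nat 0' ACL."""
    spokes = cfg["groups"]["StoreVPN"]
    pairs = cfg["acls"].get("outside_inbound_nat0_acl", [])
    return [(a, b) for a in spokes for b in spokes if a != b and not covers(pairs, a, b)]

def spokes_missing_from_split(cfg):
    """Per vpngroup, spoke subnets the software client is never told to send into the tunnel."""
    out = {}
    for grp, acl in cfg["split"].items():
        srcs = [s for s, _ in cfg["acls"].get(acl, [])]
        out[grp] = [n for n in cfg["groups"]["StoreVPN"] if not any(n.subnet_of(s) for s in srcs)]
    return out

def exposure_findings(cfg):
    """Findings unrelated to the routing question that a reviewer would still raise."""
    checks = [
        ("isakmp key ", "address 0.0.0.0 netmask 0.0.0.0", "wildcard PSK: any peer that knows it can build a tunnel"),
        ("snmp-server community public", "", "default SNMP community 'public'"),
        ("ssh 0.0.0.0 0.0.0.0 outside", "", "SSH management reachable from any Internet address"),
    ]
    return [msg for line in cfg["raw"] for pfx, needle, msg in checks if line.startswith(pfx) and needle in line]

def proposed_lines(cfg):
    """ACL lines the config still lacks. On 6.x they are necessary but not sufficient (see supports_hairpin)."""
    lines = []
    if spoke_pairs_missing_nat0(cfg):
        lines.append("access-list outside_inbound_nat0_acl permit ip object-group StoreVPN object-group StoreVPN")
    for grp, missing in spokes_missing_from_split(cfg).items():
        lines += [f"access-list {cfg['split'][grp]} permit ip {n.network_address} {n.netmask} any" for n in missing]
    return lines
```

Run against the excerpt, the script reports version 6.2 (no hairpinning), two spoke pairs with no NAT exemption, both store subnets missing from the nate split-tunnel ACL, and the three exposure findings. The generated ACL lines are the hub-side half of the fix; the Linksys spokes' own crypto ACLs, which are not on the page, would need matching entries for the other stores as well, and none of it helps until the hub runs software that can forward outside-to-outside, which the 506E's 6.x train cannot.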
